Re: Firing off Abuse email based on Snort Traffic

["Michael H. Warfield" <mhw () wittsend com>]

On Thu, May 29, 2003 at 04:03:20PM -0700, Matt Howell wrote:
> On Thu, 2003-05-29 at 15:44, Erek Adams wrote: 
> > For the most part I'd have to side with Matt Kettler on this.  I've worked
> > in Security and Abuse at a large ISP before...  If I got multiple emails
> > that say 'One of your dialup users portscanned X machines on my network',
> > I'd be real tempted to add that email address to the /dev/null procmail
> > filter.  

> As I mentioned in my previous post, I am looking for something that
> sends 1 email per ISP per every 48 - 72 Hour period.  Having worked in
> my clients' own IT department, I know the frustration of being spammed
> with support requests.

        To put it bluntly...  Don't do it.  Even that can be turned
against you...  It has happend before...  It will happen again...
You could be next.  Take it right out of that stupid new TV show...
You could be next...

        Actual occurance...  Set your way-back machine Mister Peabody to
a couple of years ago when a "well known" security professional (who
shall remain un-named to protect the guilty and terminally (sic, sorry
pun alert) stupid) set up his site to E-Mail back nasty grams when anyone
connected to his telnet port.

        Anyone connecting to this in-DUH-vidual's site got a nasty banner
about attempting to hack his site.  He also sent E-Mail to abuse and
postmaster and root and the POC (Point of Contact) addresses for the source
domain, network address assignment, domain DNS servers, and network address
DNS administrators.  About a dozen or so E-Mails would typically be
generated for this rather degenerate "port scan" if you will...

        So...  Word got out...  Snickers round about...  Looks exchanged...
Plots were laid...  

        A page was created...  A web page...  And such a page it was...
It was a page with mighty pr0n.  A glorious thing to behold.  And in
amoungst the pr0n where image tags.  And such image tags they were.
Image tags that were web bugs they were.  Web bugs pointing to said
security professional's site and port number...  And this glorious thing
of dark art was left to mature in the rich fertile fields of web spiders...

        Within a week or so of the web spiders doing their jobs and that
glorious page of old making an appearance amongst the high hitters in the
pr0n searches, said researcher's site was emitting E-Mail like the big
bang (sic, damn, two puns in one message - damn....) all over again directed
at thousands of administrators of sites all over the world for poor
unsuspecting pr0n afficienados who browsed this page.  Of course, he and
the admins could not tell WHAT page generated the action that caused sooo
much consternation and heaven forbid the individuals (when and where they
could be identified) who browsed said page even remember (much less admit)
what page they browsed...

        For the record...  I am neither that security researcher (though
he and I cross swords on occasion on several mailing lists) nor am I one of
the perps that made a flaming fool of him (DAMN!  Missed one hell of an
opportunity there...  I swear I would have been there with bells one...).

        Any reaction system is prone to being turned against you the
moment an adversary figures out what you are doing.  Always take that
into consideration.  If you do this...  What happens when they figure
it out and do that in response...  You can rate limit to one message to
a particular address or E-Mail per day or so but what happens when someone
sets it up to be triggered by a couple thousand different sites?  And then
YOU have to deal with the responding backscatter of bitches and complaints
AND ROBOTS AND AUTORESPONDERS...

> > To be quite honest, don't send email.  It's almost a waste of time in many
> > cases.  Your best result is to actually pick up the phone and call.
> > Direct interaction with someone is an excellent way to get something done.
> > The person on the phone might actually hear the urgency in your voice,
> > where 'reading the urgency' from an email just might not happen.

> I totally agree.  Unfortunately, a considerable amount of our scans are
> coming from the Asia Pacific area.  APNIC often only returns an email
> address for abuse and no phone number.  The client that I am involved
> with currently, is in the Medical field and has ramped up recent
> security efforts in response to the recent HIPAA regulations and
> dramatic network compromises (thus the reason Snort was deployed).

        The two IP addresses in the original message came from Australla
and Korea.  Good luck on getting anything done.  Anything you do is just,
AT BEST, an exercise in auto-eroticism.  If it makes you feel good, go
for it.  Just don't expect much in return.  And expect some sensitive
questions and some very quier looks if you get caught at it.  You can
neither proclaim ignorance nor innocence, when you do.

> How do other administrators handle genuine attacks and Portscans from
> International sources?

        Port scans...  Ignore.  International or otherwise.  Ignore.
There is even a legal (in USA - GA) precident...  Port scans are not
illegal and you can NOT claim damages even if you expend resources and
money in response.

> -Matt

> -------------------------------------------------------
> This SF.net email is sponsored by: eBay
> Get office equipment for less on eBay!
> http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

Attachment: _bin
Description: